Tags: , view all tags

Certification report patch 3407

Author: Elisabetta Molinari elisabetta.molinari@mi.infn.it

Outcome: Certified

Certification report patch 3407

Automatic tests

tests on voms core were run automatically as a result of a build in etics, see here

voms-admin automatic testing---> run the voms-cli tests from the testsuite here

, after adjustying the error messages to the new ones:

here's a result of the command './myCheck-VOMS -n voms-rd02-21.cnaf.infn.it -l test-sequence.lst.voms-admin'

Test VOMS-addMember   - OK
Test VOMS-assignRole   - OK
Test VOMS-crAttribute   - OK
Test VOMS-crGroup   - OK
Test VOMS-crRole   - OK
Test VOMS-crUser   - OK
Test VOMS-crUserNocert   - OK
Test VOMS-delAttribute   - OK
Test VOMS-delGroup   - OK
Test VOMS-delGroupAttribute   - OK
Test VOMS-delRole   - OK
Test VOMS-delRoleAttribute   - OK
Test VOMS-delUser   - OK
Test VOMS-delUserAttribute   - OK
Test VOMS-dismissRole   - OK
Test VOMS-listAttributes   - OK
Test VOMS-listGroupAttributes   - OK
Test VOMS-listGroups   - OK
Test VOMS-listMembers   - OK
Test VOMS-listRoleAttributes   - OK
Test VOMS-listRoles   - OK
Test VOMS-listSubGroups   - OK
Test VOMS-listUserAttributes   - OK
Test VOMS-listUserGroups   - OK
Test VOMS-listUserRoles   - OK
Test VOMS-listUsers   - OK
Test VOMS-listUsrWithRol   - OK
Test VOMS-removeMember   - OK
Test VOMS-setGroupAttribute   - OK
Test VOMS-setRoleAttribute   - OK

here's the full result report

voms-core automatic testing, run the voms-core tests from the testsuite here

here's a result of the command './myCheck-VOMS -n voms-rd02-21.cnaf.infn.it -l test-sequence.lst.voms-core':

Test VOMS-pr-attr   - OK
Test VOMS-pr-bits   - OK
Test VOMS-pr-cert   - OK
Test VOMS-pr-conf   - OK
Test VOMS-pr-dbg   - OK
Test VOMS-pr-genattr   - OK
Test VOMS-pr-hlp   - OK
Test VOMS-pr-hours   - OK
Test VOMS-pr-ign   - OK
Test VOMS-pr-key   - OK
Test VOMS-pr-limit   - OK
Test VOMS-pr-list   - OK
Test VOMS-pr-noreg   - OK
Test VOMS-pr-order   - OK
Test VOMS-pr-out   - OK
Test VOMS-pr-pver   - OK
Test VOMS-pr-pwst   - OK
Test VOMS-pr-quiet   - OK
Test VOMS-pr-RoleOrder   - OK
Test VOMS-pr-usg   - OK
Test VOMS-pr-valid   - OK
Test VOMS-pr-verify   - OK
Test VOMS-pr-vers   - OK
Test VOMS-pr-vlf   - OK
Test VOMS-pr-vomses   - OK
Test VOMS-pr-warn   - OK

here's the full result report

Clean installation

installation steps:

 wget http://etics-repository.cern.ch:8080/repository/pm/volatile/repomd/id/fa01c264-37cc-4539-a3b3-da59486a13dd/sl5_x86_64_gcc412/etics-volatile-build-by-id.repo
yum install glite-VOMS_mysql
yum install lcg-CA

here's the yum install log

here's the updated yum install log

configuration steps:

copy siteinfo.def and services/glite-voms_mysql from '/opt/glite/yaim/examples/siteinfo' into your favourite dir. Rename glite-voms_mysql as glite-voms
Set yaim variables as specified here https://twiki.cern.ch/twiki/bin/view/LCG/Site-info_configuration_variables
Launch  '/opt/glite/yaim/bin/yaim -c -s site-info.def -n VOMS'

yaim configuration log

yaim configuration files used:

cat ~/siteinfo/site-info.def
# Uncomment this variable if you are installing a mysql server
# It is the MySQL admin password. 
MYSQL_PASSWORD="admin"


# Human-readable name of your site
SITE_NAME=voms-sa3-italia

##############################
# VO configuration variables #
##############################
# If you are configuring a DNS-like VO, please check
# the following URL: https://twiki.cern.ch/twiki/bin/view/LCG/YaimGuide400#vo_d_directory

# Space separated list of VOs supported by your site
VOS="sa3test vomstest"
-----------------------------------------------------------------

cat ~/siteinfo/services/glite-voms
# VOMS server hostname
VOMS_HOST=localhost

# Hostname of the database server. Put 'localhost'
# if you run the database on the same machine.
# This parameter can be specified per VO in the following way:
# VO_<vo_name>_VOMS_ADMIN_DB_HOST
VOMS_ADMIN_DB_HOST='localhost'

VO_SA3TEST_VOMS_DB_HOST="voms-rd02-21.cnaf.infn.it"
VO_SA3TEST_VOMS_DB_TYPE="mysql"
VO_SA3TEST_VOMS_DB_USER="sa3test_user"
VO_SA3TEST_VOMS_DB_PASS="pwd"
VO_SA3TEST_VOMS_DB_NAME="db_sa3test"
VO_SA3TEST_VOMS_PORT="15001"

VO_VOMSTEST_VOMS_DB_HOST="voms-rd02-21.cnaf.infn.it"
VO_VOMSTEST_VOMS_DB_TYPE="mysql"
VO_VOMSTEST_VOMS_DB_USER="vomstest_user"
VO_VOMSTEST_VOMS_DB_PASS="pwd1"
VO_VOMSTEST_VOMS_DB_NAME="db_vomstest"
VO_VOMSTEST_VOMS_PORT="15002"

VOMS_ADMIN_SMTP_HOST="localhost"
VOMS_ADMIN_MAIL="elisabetta.molinari@mi.infn.it"
VOMS_DB_DEPLOY="true"
-----------------------------------------------

Upgrade from production

Since this is the first release of VOMS for SL5, only the upgrade of the mysql backend has been tested. Following the basic steps of a sample upgrade:

- dump the old database  on the old VOMS server and transfer the file to the new node: mysqldump -h <OLD_HOSTNAME> -u <USER> -p --databases <DB_NAME> > <DUMP_FILE>
- mysql -u root -p < dbsa3test; mysql -u root -p < dbvomstest;
- grant all on *.* to 'root'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
- grant all on db_sa3test.* to 'sa3test_user'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
- grant all on db_sa3test.* to 'sa3test_user'@'localhost' identified by 'admin';
- grant all on db_vomstest.* to 'vomstest_user'@'voms-rd02-21.cnaf.infn.it' identified by 'admin';
- grant all on db_vomstest.* to 'vomstest_user'@'localhost' identified by 'admin';
- synchronize yaim conf files from the old machine with the new one, i.e. make sure username and password for the VO databases are the same 
- launch yaim configuration after setting yaim variable  VOMS_DB_DEPLOY to 'false' in the siteinfo.def or the services/glite-voms file
- re-start tomcat
- launch upgrade VO, for each VO as in the following: /opt/glite/sbin/voms-admin-configure upgrade --vo=sa3test
- re-start voms server and voms-admin
- register the VOMS host identity as a default admin  -->/opt/glite/sbin/voms-db-deploy.py add-admin --vo sa3test --cert /etc/grid-security/hostcert.pem

here's an upgrade log

Check Bugs:

Voms Admin 2.5-cli

BUG #38150: "Extend member status in voms-admin" FIXED
- checked that active and suspend status are present in the voms-admin webapp.
BUG #38151: "Implement member institutional expiration in voms-admin" FIXED
BUG #43127: "implement in voms-admin VO membership expiration bound to AUP version" FIXED
BUG #43129: "implement in voms-admin an authorisation-aware web UI" FIXED
BUG #43130: "multiple certificate support" FIXED
BUG #43189: "allow user to request his/her inclusion in a Group/Role in voms-admin" FIXED
BUG #43264: "voms-admin to keep user Registration Data in the VOMS database" FIXED

BUG #60328

: "remove-certificate does not work" FIXED

tried with a non-existent pair DN/CA as in the following:

 voms-admin --vo sa3test --nousercert remove-certificate '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Elisabet' '/C=IT/O=INFN/CN=INFN'
org.glite.security.voms.admin.database.NoSuchCertificateException: No certificate found matching subject '/C=IT/O=INFN/OU=Personal Certificate/L=CNAF/CN=Elisabet, /C=IT/O=INFN/CN=INFN'.

BUG #60329

: "Not possible to restore a certificate from the command line" FIXED

launch

voms-admin --vo sa3test suspend-certificate .globus/usercert.pem 'security incident'

launch

voms-admin --vo sa3test restore-certificate .globus/usercert.pem

BUG #60337: "Locks held on access denied when processing membership requests" FIXED
- Actually this, and all the other bugs regarding locks not being well manages, were due to an improper management of the hibernate session when exceptions were raised. This is fixed in the code now.
BUG #60483: "Unhandled exception when deleting groups containing subgroups & locks held" FIXED
- create a group as for ex:
```
voms-admin --vo sa3test create-group testgroup
```
- create a subgroup as for ex:
```
voms-admin --vo sa3test create-group testgroup/testsubgroup
```
- try to delete the parent group 'testgroup' from the webadmin
- no exception is returned but an error message as the following: "The group testgroup cannot be deleted since it contains subgroups"

BUG #51657

: "delete-user does not treat Email= and emailAddress= as equivalent" FIXED

given the following usercert:

openssl x509 -in cas/ca2/certs/08.pem -text -noout | more
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: DC=CH, DC=CERN, OU=EMAILCA, CN=emailca.cern.ch/emailAddress=emailca@cern.ch
        Validity
            Not Before: Mar  8 20:32:58 2010 GMT
            Not After : Mar  8 20:32:58 2011 GMT
        Subject: DC=CH, DC=CERN, OU=EMAILCA, CN=Test user 3/emailAddress=test_user_3@emailca.cern.ch
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

created a new user from the voms cli as in the following:

voms-admin --vo sa3test create-user cas/ca2/certs/08.pem
 voms-admin --vo sa3test list-users
..........
/DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/Email=test_user_3@emailca.cern.ch, /DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/Email=emailca@cern.ch - test_user_3@emailca.cern.ch

tried to delete the user:

 voms-admin --vo sa3test delete-user cas/ca2/certs/08.pem
org.glite.security.voms.admin.persistence.error.NoSuchUserException: User '/DC=CH/DC=CERN/OU=EMAILCA/CN=Test user 3/Email=test_user_3@emailca.cern.ch,/DC=CH/DC=CERN/OU=EMAILCA/CN=emailca.cern.ch/emailAddress=emailca@cern.ch' not found in org.glite.security.voms.admin.persistence.error!
voms-rd02-21

BUG #54613

: "voms-admin-configure ignores --dbhost option when configuring mysql VO" FIXED

launched the following:

voms-admin-configure install --vo adminDeploy --createdb --deploy-database --dbtype mysql --dbhost cert-10.cnaf.infn.it --port 15002 --dbusername 'admin_Deploy' --dbpassword 'pwd' --mail-from elisabetta.molinari@mi.infn.it --verbose --smtp-host smtp.cnaf.infn.it --dbapwd 'admin'

BUG #54614: "voms-admin-configure should not try to create an administrator if the --skip-database option is set" FIXED
BUG #56065: "voms-admin email notification behaviour should be configurable" FIXED
BUG #58656: "Unique GAs handling exception" FIXED
BUG #60517: "Unhandled exception when adding ACL entry" FIXED
- add a new ACL entry for a non VO member
- add another ACL entry for a non VO member setting the same subject as for the member above and a different CA
- the following error message is returned:
```
An administrator with the given subject already exists. Choose a different subject!
Certificate subject: 
```
BUG #60600: "Problems with groups and roles having special characters in the name" FIXED
- It does not allow to create group and roles with special characters in the name
BUG #60604: "Error adding a default ACL for a group" FIXED
BUG #61292: "VOMS Admin 2.0.7 Client fails with some (non-ASCII?) characters" FIXED
BUG #59918: "NullPointerException during group creation with slash in the name" FIXED
BUG #59919: "No warning when creating a group in a read-only context" FIXED
- set the user to read only under '/sa3test/test'
- tried to create a group under '/sa3test/test' and the following is returned:
```
Insufficient privileges to execute 'CreateGroupOperation'.
```
BUG #59933: "Problem removing config backup" FIXED
BUG #59985: "'ALL' permission resolution" FIXED
- set an ACL permission for a member to ALL
- check in the voms admin webadmin the field for 'suspend' is set to yes
BUG #60256: "Unhandled 'UserAlreadyExists' Exception" FIXED
BUG #60264: "Uncought 'IllegalArgumentException' on request confirm" FIXED
- tried to click on the confirmation link twice
BUG #60265: "Other VOs list not complete" FIXED
BUG #60296: "Database session problems when wrong request confirmation parameters are submitted" FIXED
- Actually this, and all the other bugs regarding locks not being well manages, were due to an improper management of the hibernate session when exceptions were raised. This is fixed in the code now.
BUG #60308: "It is not possible to remove an AUP which has acceptance records" FIXED
BUG #60313: "Trigger reacceptance work only for the predefined AUP" FIXED
- defined a new AUP with a new version
- triggered re-acceptance to the existing members
BUG #60314: "Links in user AUP acceptance history displaying same AUP" FIXED

Voms core

see tests performed for patch #3142

-- ElisabettaMolinari - 2010-02-17

full_result: voms-cli full result report

yaimlog1: yaim configuration log

full_result_vomscore.html: full result voms core report

full_result.html: full result voms admin report

full_result.html.gz: full result voms admin report

full_result_vomscore.html.gz: full result voms core report

yum_install_log.gz: yum install log

yaimlog: yaim configuration log

upgrade_log.gz: upgrade log

yum_install_3407_1304: yum_install_3407_1304

Attachments

Topic attachments
I	Attachment	Action	Size	Date	Who	Comment
gz	full_result.html.gz	manage	2.2 K	2010-03-18 - 08:36	UnknownUser	full result voms admin report
gz	full_result_vomscore.html.gz	manage	3.9 K	2010-03-18 - 08:39	UnknownUser	full result voms core report
gz	upgrade_log.gz	manage	2.1 K	2010-03-23 - 09:29	UnknownUser	upgrade log
EXT	yaimlog	manage	33.3 K	2010-03-18 - 15:09	UnknownUser	yaim configuration log
EXT	yum_install_3407	manage	16.5 K	2010-04-13 - 07:28	UnknownUser	yum install 3407
EXT	yum_install_3407_1304	manage	7.6 K	2010-04-20 - 09:52	UnknownUser
gz	yum_install_log.gz	manage	2.4 K	2010-03-18 - 14:24	UnknownUser	yum install log

Topic revision: r34 - 2010-04-20 - ElisabettaMolinari

Account
- Log In

Edit
Attach